JFrog Security Research
< Back

XRAY-199960 - ClickHouse LZ4 RCE

CVE-2021-43305 | CVSS 8.8

JFrog Severity:high

Discovered ByUriya Yavnieliof the JFrog Security Research Team

Published 15 Mar, 2022 | Last updated 15 Mar, 2022

A heap overflow in ClickHouse can allow an authenticated network attacker to perform remote code execution

ClickHouse

ClickHouse (, 21.10.2.15), fixed in 21.10.2.15

There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), don’t exceed the destination buffer’s limits. Note that the lengths of the overflow, as well as source’s allocation size and the overflowing byte contents are fully controlled by the user. Also note that specifically this size check happens after the copy operation while the other copy operations aren’t covered at all.

A low-privileged authenticated network attacker can trigger this issue by sending crafted LZ4 data in a decompression request.

This issue is very similar to CVE-2021-43304, but the vulnerable copy operation is in a different wildCopy call.

More info in JFrog's Blogpost -

00000000 26 fc 61 db c0 83 bb 0a db 58 5a f0 34 e1 30 f6 |&.a......XZ.4.0.|

00000010 82 0a c8 00 00 01 00 00 00 f0 ff ff ff ff ff ff |................|

00000020 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

*

000000e0 ff ff 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |..AAAAAAAAAAAAAA|

000000f0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|

*

0000c81a

No mitigations are provided for this vulnerability.

In order to fully fix this vulnerability, we recommend upgrading ClickHouse to version 21.10.2.15.

(JFrog) Security Vulnerabilities Found in ClickHouse Open-Source Software

NVD

< Back